Information Security News mailing list archives

Schwab site vulnerable to hackers


From: William Knowles <wk () C4I ORG>
Date: Thu, 7 Dec 2000 03:44:03 -0600

http://www.zdnet.com/zdnn/stories/news/0,4586,2662137,00.html

By Troy Wolverton, Special to ZDNet
December 6, 2000 5:45 PM PT

Charles Schwab & Co.'s Web site is vulnerable to a well-known attack
that could allow a hacker to gain access to sensitive account
information, the financial services company acknowledged Wednesday.

Reported by San Francisco-based programmer Jeff Baker on the Bugtraq
security mailing list on Wednesday, the vulnerability involves
"cross-site scripting." The vulnerability, which uses popular Web
programming languages such as JavaScript to hijack a customer's Web
browser, is similar to one acknowledged by E*Trade Group Inc. in
September.

By exploiting the vulnerability, "malicious users can fool other
users' Web clients...which allows them to do things such as stealing
that client/server's cookies," Elias Levy, Bugtraq's moderator and the
chief technology officer of SecurityFocus.com, wrote in an advisory.
Calling the vulnerability a "common flaw," Levy blamed the problem in
part on "the lack of good practices by programmers of Web-based
applications."

Although security experts first issued a warning against cross-site
scripting in February, security experts believe that dozens of sites
may still be vulnerable to the attack.

Baker said he first notified Schwab of its vulnerability in late
August. Although he exchanged several emails with Schwab about the
problem, the company did not close the vulnerability, he said.

A fix on the way

"The flaws still exist, and I have no reason to believe that they are
in the process of being fixed," Baker said in his advisory on Bugtraq.
"Schwab should strive to fix problems when given (four)-month advance
notice. They should raise their ethical standards to alert their
paying customers whenever a system vulnerability is reported."

But Schwab spokesman Greg Gable said the company has been working as
quickly as possible to address the problem. After being notified of
the vulnerability in August, Schwab took some minor steps to protect
customers, he said. And Schwab plans to completely close the
vulnerability by early next year via a computer change, he said.

"We take security issues extremely seriously," Gable said. "We take
aggressive steps to minimize the risk."

But Gable played down the risk for customers, calling it a "very, very
narrow possibility." Gable said the delay in closing the vulnerability
had to do with balancing the ease of use of the site and the need to
test the fix before implementing it.

"With a large system and a large customer base, we need to test
thoroughly," he said.

Cross-site scripting allows hackers to run dangerous code within a Net
user's browser or email client. Basically, an attack on a Schwab user
could allow the hacker to have access to all of the customer's account
actions -- such as buying and selling stocks or transferring funds --
while the customer was logged on to his account.
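As an added illustration, not part of the article or of any Schwab code, of the flaw class it describes: a reflected cross-site scripting bug shown as a vulnerable page template beside its output-encoded form, with a small check a defender can run over rendered pages. Function names and the sample query are hypothetical.

```javascript
// Added example (not from the article): reflected cross-site scripting,
// vulnerable template beside the hardened one. All names are hypothetical.

// Vulnerable: a request parameter is pasted straight into the HTML, so a
// value containing markup becomes part of the page and executes in the
// victim's browser under the site's origin, with access to its cookies.
function renderResultsVulnerable(query) {
  return `<html><body><h1>Results for ${query}</h1></body></html>`;
}

// Map every character that carries meaning in HTML text or attribute
// context to its entity form. Encoding untrusted values at output time,
// for the context they are inserted into, is the core XSS mitigation.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  })[ch]);
}

// Hardened: same page, but the untrusted value is encoded on output.
function renderResultsSafe(query) {
  return `<html><body><h1>Results for ${escapeHtml(query)}</h1></body></html>`;
}

// Detection aid: does a rendered page contain a script element, an inline
// event handler or a javascript: URL that the template itself never emits?
function containsActiveContent(html) {
  return /<\s*script\b|\bon[a-z]+\s*=|javascript:/i.test(html);
}

// Constructed sample input standing in for an attacker-controlled query.
const SAMPLE_QUERY = '<script>alert(1)</script>';
```

Run against SAMPLE_QUERY, the vulnerable template reflects the markup intact while the hardened one emits only inert entities; the same check works as a crude regression test in a build pipeline.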

To protect against such an attack, Baker warned Schwab customers to
disable JavaScript in their browsers, avoid accessing other Web sites
or opening email while logged on to their Schwab accounts, and
completely log off Schwab's site and close browsers when finished
accessing accounts.



*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com